Stanford Breach Lawsuit Settled
Business Associates to Pay for Most of Expenses
The breach occurred when a business associate's subcontractor posted information about 20,000 patients treated in the hospital's emergency department on a website, where it remained for nearly a year, the healthcare provider organization says (see Stanford Reports Website Breach).
The information about patients treated between March 1 and Aug. 31, 2009, included patient names, medical record numbers, hospital account numbers, emergency room admission/discharge dates, medical codes for the reasons for the visit and billing charges.
In a March 24 statement provided to Information Security Media Group, Stanford Hospital & Clinics acknowledges a settlement has been reached in the class action lawsuit filed against the healthcare provider, its business associate, Multi-Specialty Collection Services, LLC, and its subcontractor, Corcino & Associates, "in connection with a past misuse of encrypted patient data by a SHC vendor."
The settlement of the Stanford Hospital & Clinics case comes less than six months after a $3 million settlement was reached in a class action suit involving a breach at health plan AvMed. That case stemmed from a 2009 data breach involving stolen unencrypted computers. Approximately 460,000 individuals in that settlement received $10 for every year they paid premiums prior to the theft, with a maximum payment of $30. The settlement amount represented what AvMed should have spent on protecting data, so it amounts to a refund of premium overpayment, according to the settlement papers. The case was significant because it awarded payments to those who were not victims of identity theft.
Likewise, there is no evidence in the Stanford case that the information that was breached was used for nefarious purposes, Brian Kabateck, founder and managing partner of Kabateck Brown Kellner LLP, the law firm representing plaintiffs in the suit, told the San Jose Mercury News.
Unlike many other states' privacy laws, a provision under California's Confidentiality of Medical Information Act allows patients to bring an action against any entity that has negligently released individually identifiable medical information, seeking minimum damages of $1,000, with no proof of actual damage required, Kabateck says in an interview with Information Security Media Group.
"This makes these actions much easier to pursue," he says. "This should be the model for the rest of the country. Once you release private medical records, you can't close the door to the barn. Bringing suits like this shows there are repercussions to not protecting patient information."
And because the Stanford case involved two vendors, which are bearing the bulk of the settlement costs, the incident should serve as a reminder to other business associates of the importance of safeguarding electronic protected health information, Kabateck says. Not only are business associates and their subcontractors directly liable for compliance under the HIPAA Omnibus Rule with fines of up to $1.5 million per HIPAA violation, but the vendors could face additional monetary burdens in civil suits related to breaches, he points out. "There is no good reason for data not to be encrypted, for data not to be protected," he says.
Under the terms of the settlement, Multi-Specialty Collection Services and Corcino & Associates will pay more than $3.3 million, with the money going to Stanford's patients and the attorneys who brought the lawsuit, according to the Stanford Hospital & Clinics statement. "There is no admission of liability by any of the defendants, but SHC is gratified that its patients will be supported and that this settlement may serve to reinforce vendors' privacy and security obligations when handling patient data," the statement says.
The settlement, tentatively approved on March 19 by a Los Angeles County Superior Court judge, would pay the patients involved a little more than $100 each, according to the San Jose Mercury News report.
"Federal and state government agencies reviewed SHC's actions, including its security and privacy safeguards, and determined there was no violation by SHC," the statement continues. "No deficiencies, fines, or penalties were assessed against SHC, and SHC has vigorously defended against this lawsuit."
In addition, Stanford notes, "To avoid the costs of continuing the litigation, SHC has agreed to participate in the settlement by contributing $500,000 to fund the creation of an educational project to be managed by the nonprofit California HealthCare Foundation."
The educational program "will help to reinforce, in practice, new federal regulations issued in 2013 that hold vendors directly accountable for privacy breaches," the statement says. "The goal is to prevent other patients from being affected by a vendor breach. SHC also will contribute $250,000 to cover administrative costs of the settlement to ensure proper notice to its patients and delivery of checks to its patients."
Kabateck says the money being paid by Stanford Hospital & Clinics to fund privacy education is important. "This will teach other providers and vendors about protecting data," he says.
Attempts by Information Security Media Group to obtain comment from Multi-Specialty Collection Services and Corcino & Associates were unsuccessful.